The problem of your (our) external mail gateway using internal DNS views
Suppose, not hypothetically, that you have an external mail gateway
(your external MX, where incoming email from the Internet is handed
to you). This external MX server is a standard server and so you
install it through your standard install process. As part of that standard install,
it gets your normal
/etc/resolv.conf, which points it to your
local DNS resolvers. If you have a split horizon DNS setup, your local, internal DNS resolvers will
naturally provide the internal view, complete with internal only
hosts and entire zones for purely internal 'sandbox' networks (in our case all under a
.sandbox DNS namespace).
Now you have a potential problem. If you do nothing special with
your external MX, it will accept SMTP envelope sender addresses (ie
MAIL FROM addresses) that exist only in your internal DNS zones.
After all, as far as it is concerned they resolve as perfectly good
DNS names with A records, and that's good enough to declare that
the host exists and the mail should be accepted. You might think
that no one would actually send email with such an envelope sender,
and this is partially correct. People in the outside world are
extremely unlikely to do this. However, people setting up internal
hosts and configuring mailers in straightforward ways are extremely
likely to send email to your external MX, because that's where your
domain's MX points. If their internal machine is trying to send
email to 'firstname.lastname@example.org', by default it will go through your
(If the email is handled purely locally and doesn't bounce, things may go okay. If someone tries to forward their email to elsewhere, it's probably not going to work.)
Fortunately it turns out that I already thought of this long ago (possibly after an incident); the Exim configuration on our external MX specifically rejects *.sandbox as an envelope sender address. This still lets through internal only names that exist in our regular public domains, and there are some of those. This is probably not important enough to try to fix.
Fixing this in general is not straightforward and simple, because you probably don't already have a DNS resolver that provides an external view of the world (since you don't normally need such a thing). If I had to come up with a general fix, I would probably set up a local resolving DNS server on the external mail gateway (likely using Unbound) and have that provide a public DNS view instead of the internal one. Of course this might have side effects if used on a system wide level, which is probably the only way to really do it.